From 34d1d8b9b8a7ceb3ba83a551c0011add16fcb1a8 Mon Sep 17 00:00:00 2001
From: Danielle Lancashire
Date: Mon, 19 Aug 2024 15:11:44 +0200
Subject: [PATCH] ca-secrets: Annotate secrets that are created by spin-operator

Eventually we will want to upgrade caBundles to new versions as certificates expire/are rotated/new ca's form. We should however only do that when we manage the resource that is created. Here we introduce a managed-by annotation that we can use to ensure that we don't replace user-managed secret bundles in the future.
---
 internal/controller/spinapp_controller.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/internal/controller/spinapp_controller.go b/internal/controller/spinapp_controller.go
index 1b3b939..1716702 100644
--- a/internal/controller/spinapp_controller.go
+++ b/internal/controller/spinapp_controller.go
@@ -238,6 +238,9 @@ func (r *SpinAppReconciler) ensureCASecret(ctx context.Context, caSecretName, na
 ObjectMeta: metav1.ObjectMeta{
 Name: caSecretName,
 Namespace: namespace,
+ Annotations: map[string]string{
+ "app.kubernetes.io/managed-by": "spin-operator.spinkube.dev",
+ },
 },
 StringData: map[string]string{"ca-certificates.crt": cacerts.CACertificates()},
 }
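Review bot: The managed-by marker is attached only to the Secret literal built in `ensureCASecret`, so CA secrets created by earlier operator versions will presumably never carry it, and a later rotation pass keyed on this annotation would skip them and leave stale trust bundles in place. The function body starts and ends outside the hunk, so whether an existing secret is ever patched is not visible here; if it is not, a short comment such as `// Only secrets created from this version on are marked; older ones are treated as user-managed.` would make that explicit. The annotation is also ordinary mutable metadata that any principal with write access to the Secret can add or remove, so the future "do we own this bundle" check should not treat it as authoritative on its own; pairing it with an owner reference, or a check of the existing `ca-certificates.crt` content, would be more robust. Finally, `app.kubernetes.io/managed-by` is documented by Kubernetes as a recommended label rather than an annotation, and both string literals would be better hoisted into package constants so that the later check cannot drift from the value written here.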